
[NO JIRA]: Fix RCE vulnerability in serialize-javascript (GHSA-5c6j-r48x-rmvq)#200

Open

Matthew Robertson (metalix2) wants to merge 4 commits into main from security/patch-transitive-deps

Conversation


@metalix2 Matthew Robertson (metalix2) commented May 5, 2026

Summary

Patches two high severity vulnerabilities in transitive dependencies.

1. RCE in serialize-javascript (GHSA-5c6j-r48x-rmvq)

serialize-javascript (<= 7.0.2) is vulnerable to code injection via RegExp.flags and Date.prototype.toISOString() — an incomplete fix for CVE-2020-7660. If an attacker can control the input object passed to serialize(), they can inject malicious JavaScript that executes when the serialized string is later evaluated (via eval, new Function, or <script> tags).

  • Severity: High (CVSS 8.1)
  • CWE: CWE-96 (Static Code Injection)
  • Fix: serialize-javascript >= 7.0.3

2. DoS via unlimited recursion in underscore (GHSA-qpx9-hpmf-5gmw, CVE-2026-27601)

underscore (<= 1.13.7) has unlimited recursion in _.flatten and _.isEqual. Under specific conditions, an attacker could exploit this for Denial of Service by triggering a stack overflow via deeply nested data structures from untrusted input.

  • Severity: High
  • Fix: underscore >= 1.13.8
  • Mitigation in this PR: Pin bfj to exact 7.0.2 which does not depend on underscore. Version 7.1.0+ introduces jsonpath which pulls in the vulnerable underscore.

Changes

  • Bump css-minimizer-webpack-plugin ^3.4.1 → ^8.0.0 (pulls serialize-javascript@^7.0.3)
  • Bump terser-webpack-plugin ^5.2.5 → ^5.5.0 (drops serialize-javascript dep entirely)
  • Bump workbox-webpack-plugin ^6.6.1 → ^7.4.1 (replaces deprecated rollup-plugin-terser)
  • Pin bfj to exact 7.0.2 (prevents drift to 7.1.0 which introduces underscore vulnerability via jsonpath)
  • Add serialize-javascript override in root for workspace deps (docusaurus)
  • Bump Node engine to >=20.9.0 (required by css-minimizer v8 and workbox v7)

Consumer Impact

Consumers of @skyscanner/backpack-react-scripts will automatically get patched versions — no action needed on their part.

Test plan

  • npm run build passes with new dependency versions
  • Verified all serialize-javascript instances resolve to 7.0.5
  • Verified no underscore in dependency tree
  • CI passes

🤖 Generated with Claude Code
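The "Changes" and "Test plan" sections above describe two things a reviewer would want to confirm mechanically: that the root manifest carries the serialize-javascript override and an exact bfj pin, and that the resolved tree has no serialize-javascript below the fixed release (7.0.3 per GHSA-5c6j-r48x-rmvq) and no underscore at all. The script below is an added example, not code from this PR or from backpack-react-scripts. It walks the `packages` map of a lockfile v2/v3 `package-lock.json` and reports both kinds of finding; the manifests and lock-files it runs against are constructed sample data, and the function names (`auditLock`, `auditManifest`, `audit`) are the example's own.

```javascript
// Added example (not from the PR or the project): audit a root package.json
// and package-lock.json for the conditions listed in the PR's test plan.
// All sample manifests and lock-file entries below are constructed.

const SERIALIZE_JS_FIXED = '7.0.3'; // first patched release per GHSA-5c6j-r48x-rmvq

// "7.0.5-beta+build" -> [7, 0, 5]; pre-release and build metadata dropped
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map(Number);
}

// Three-component numeric compare: -1, 0 or 1
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lock-file key, e.g.
// "node_modules/css-minimizer-webpack-plugin/node_modules/serialize-javascript"
function packageName(lockKey) {
  const marker = 'node_modules/';
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

// Resolved-tree findings: any serialize-javascript copy (nested ones included)
// below the fixed release, and any underscore at all.
function auditLock(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry, not a dependency
    const name = packageName(key);
    if (name === 'serialize-javascript' && compareVersions(entry.version, SERIALIZE_JS_FIXED) < 0) {
      findings.push(`${key}: serialize-javascript ${entry.version} < ${SERIALIZE_JS_FIXED} (GHSA-5c6j-r48x-rmvq)`);
    }
    if (name === 'underscore') {
      findings.push(`${key}: underscore ${entry.version} present (GHSA-qpx9-hpmf-5gmw)`);
    }
  }
  return findings;
}

// Manifest findings: the override the PR adds for workspace deps, and an
// exact (non-range) bfj pin so a reinstall cannot drift to 7.1.0.
function auditManifest(pkg) {
  const findings = [];
  if (!(pkg.overrides && pkg.overrides['serialize-javascript'])) {
    findings.push('package.json: no serialize-javascript override for workspace deps');
  }
  const bfj = (pkg.dependencies || {}).bfj;
  if (bfj !== undefined && !/^\d+\.\d+\.\d+$/.test(bfj)) {
    findings.push(`package.json: bfj "${bfj}" is a range, not an exact pin`);
  }
  return findings;
}

function audit(pkg, lock) {
  return [...auditManifest(pkg), ...auditLock(lock)];
}

// Constructed "before" state: bfj drifted to 7.1.0 and dragged in underscore,
// and an old css-minimizer still nests an unpatched serialize-javascript.
const PKG_BEFORE = { dependencies: { bfj: '^7.0.2', 'css-minimizer-webpack-plugin': '^3.4.1' } };
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: PKG_BEFORE.dependencies },
    'node_modules/bfj': { version: '7.1.0' },
    'node_modules/jsonpath': { version: '1.1.1' },
    'node_modules/underscore': { version: '1.13.7' },
    'node_modules/css-minimizer-webpack-plugin': { version: '3.4.1' },
    'node_modules/css-minimizer-webpack-plugin/node_modules/serialize-javascript': { version: '6.0.2' },
    'node_modules/serialize-javascript': { version: '7.0.5' },
  },
};

// Constructed "after" state matching the PR description.
const PKG_AFTER = {
  dependencies: { bfj: '7.0.2', 'css-minimizer-webpack-plugin': '^8.0.0' },
  overrides: { 'serialize-javascript': '7.0.5' },
};
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: PKG_AFTER.dependencies },
    'node_modules/bfj': { version: '7.0.2' },
    'node_modules/css-minimizer-webpack-plugin': { version: '8.0.0' },
    'node_modules/serialize-javascript': { version: '7.0.5' },
  },
};

console.log('before:', audit(PKG_BEFORE, LOCK_BEFORE)); // four findings
console.log('after: ', audit(PKG_AFTER, LOCK_AFTER));   // []
```

Run against a real checkout by replacing the constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and `package-lock.json`; the nested-key handling matters because an unpatched copy hoisted under a plugin's own `node_modules` is exactly what a top-level `npm ls serialize-javascript` can hide when only one version is listed.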

Add npm overrides to pin serialize-javascript@7.0.5 and bfj@7.0.2
to prevent resolution of versions with known vulnerabilities.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 5, 2026 09:42

Copilot AI left a comment


Pull request overview

Adds npm-level dependency pinning to reduce exposure to known vulnerabilities by forcing specific transitive versions during installs of this repository.

Changes:

  • Added npm overrides to force serialize-javascript@7.0.5
  • Added npm overrides to force bfj@7.0.2

- Bump css-minimizer-webpack-plugin to ^8.0.0 (pulls serialize-javascript@^7.0.3)
- Bump terser-webpack-plugin to ^5.5.0 (drops serialize-javascript dep entirely)
- Bump workbox-webpack-plugin to ^7.4.1 (replaces deprecated rollup-plugin-terser)
- Pin serialize-javascript and bfj via overrides in root package.json
- Bump Node engine to >=20.9.0 (required by css-minimizer v8 and workbox v7)

Consumers will now automatically get serialize-javascript@7.0.5 without
needing to add their own overrides.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Pin bfj to exact 7.0.2 in react-scripts (prevents consumers resolving
  to 7.1.0 which introduces underscore vulnerability via jsonpath)
- Remove bfj override from root (exact pin handles it)
- Keep serialize-javascript override for docusaurus workspace deps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@metalix2 Matthew Robertson (metalix2) changed the title [NO JIRA]: Pin transitive deps for security patches [NO JIRA]: Fix RCE vulnerability in serialize-javascript (GHSA-5c6j-r48x-rmvq) May 5, 2026
serialize-javascript@7.0.5 uses crypto.getRandomValues() which
requires Node 19+ as a global. Update all CI workflows from Node 18
to Node 20 to match the engine requirement.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>